b'  DEPARTMENT OF HOMELAND SECURITY\n      Office of Inspector General\n\n\n    Evaluation of DHS\xe2\x80\x99 Information Security \n\n         Program for Fiscal Year 2008 \n\n\n\n\n\nOIG-08-94                       September 2008\n\x0c\x0cTable of Contents/Abbreviations \n\n\n  Executive Summary ....................................................................................................................... 1 \n\n\n  Background .................................................................................................................................... 2 \n\n\n  Results of Independent Evaluation ................................................................................................ 4 \n\n\n  Recommendations........................................................................................................................ 16 \n\n\n  Management Comments and OIG Analysis ................................................................................ 17 \n\n\nAppendices\n\n  Appendix A:                Purpose, Scope, and Methodology.................................................................. 20 \n\n  Appendix B:                Management Response to Draft Report.......................................................... 22 \n\n  Appendix C:                FISMA Scorecard and C&A Steady State Scorecard for July 2008............... 25 \n\n  Appendix D:                FISMA System Inventory and Certification and Accreditation, Security \n\n                             Controls Testing, and Contingency Plan Testing ........................................... 27 \n\n  Appendix E:                Evaluation of Agency Oversight of Contractor Systems and Quality of\n\n                             Agency System Inventory............................................................................... 29 \n\n  Appendix F:                Evaluation of Agency Plan of Action and Milestones Process....................... 
31 \n\n  Appendix G:                IG Assessment of the Certification and Accreditation Process ...................... 32 \n\n  Appendix H:                IG Assessment of Agency Privacy Program and Privacy Impact \n\n                             Assessment Process ........................................................................................ 33 \n\n  Appendix I:                Configuration Management ............................................................................ 34 \n\n  Appendix J:                Incident Reporting .......................................................................................... 35 \n\n  Appendix K:                Security Awareness Training, Collaborative Web Technologies, and \n\n                             Peer-to-Peer File Sharing, and E-Authentication Risk Assessments ............. 36 \n\n  Appendix L:                Major Contributors to this Report................................................................... 37 \n\n  Appendix M:                Report Distribution ......................................................................................... 
38 \n\n\nAbbreviations\n  ATO                        Authority to Operate    \n\n  C&A                        Certification and Accreditation   \n\n  CBP                        United States Customs and Border Protection \n\n  CIO                        Chief Information Officer \n\n  CISO                       Chief Information Security Officer   \n\n  DHS                        Department of Homeland Security     \n\n  FDCC                       Federal Desktop Core Configuration     \n\n  FEMA                       Federal Emergency Management Agency        \n\n  FIPS                       Federal Information Processing Standards    \n\n\n                           Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\x0cTable of Contents/Abbreviations \n\n  FISMA              Federal Information Security Management Act\n  FLETC              Federal Law Enforcement Training Center\n  FY                 Fiscal Year\n  ICE                United States Immigration and Customs Enforcement\n  ISSM               Information Systems Security Manager\n  ISSO               Information Systems Security Officer\n  IT                 Information Technology\n  Management         Management Directorate\n  NFRs               Notice of Findings and Recommendations\n  NIST               National Institute of Standards and Technology\n  OIG                Office of Inspector General\n  OIS                Office of Information Security\n  OMB                Office of Management and Budget\n  PIA                Privacy Impact Assessment\n  PII                Personally Identifiable Information\n  POA&M              Plan of Action and Milestones\n  PTA                Privacy Threshold Analysis\n  SP                 Special Publication\n  S&T                Science and Technology\n  Training Office    Information Security Training, Education, and Awareness Office\n  TSA                Transportation Security Administration\n  USCG               United 
States Coast Guard\n  USCIS              United States Citizenship and Immigration Services\n  USSS               United States Secret Service\n\n\n\n\n                    Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\x0cOIG \n\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                We conducted an independent evaluation of the Department of\n                Homeland Security (DHS\xe2\x80\x99) information security program and practices\n                to comply with the requirements of the Federal Information Security\n                Management Act of 2002 (Public Law 107-347, Sections 301-305). We\n                evaluated the department\xe2\x80\x99s progress in implementing its agency-wide\n                information security program. In doing so, we specifically assessed the\n                department\xe2\x80\x99s Plan of Action and Milestones (POA&M), as well as its\n                certification and accreditation (C&A) processes. We also performed an\n                assessment of the department\xe2\x80\x99s privacy program. Fieldwork was\n                performed at both the program and component levels.\n\n                The department continues to improve and strengthen its security\n                program. During the past year, the department implemented a\n                performance plan to improve on four key areas: POA&M weaknesses\n                remediation, quality of C&A, annual testing and validation, and\n                security program oversight. The performance plan tracks key elements\n                that are indicative of a strong security program. In addition, the\n                department strengthened its oversight at the components and conducted\n                compliance reviews in the areas of C&A and configuration\n                management. 
While these efforts have resulted in some improvements,\n                components are still not executing all of the department\xe2\x80\x99s policies,\n                procedures, and practices. For example, the more significant\n                exceptions noted are:\n                \xe2\x80\xa2\t Systems are being accredited though key documents and key\n                    information are missing.\n                \xe2\x80\xa2\t POA&Ms are not being created for all known information security\n                    weaknesses.\n                \xe2\x80\xa2\t POA&M weaknesses are not being mitigated in a timely manner.\n                \xe2\x80\xa2\t Baseline security configurations are not being implemented for all\n                    systems.\n                Management oversight of the components\xe2\x80\x99 implementation of the\n                department\xe2\x80\x99s policies and procedures needs improvement in order for\n                the department to ensure that all information security weaknesses are\n                tracked and remediated, and enhance the quality of system C&A.\n                Additional information security program areas that need improvement\n                include configuration management, incident detection and analysis,\n                specialized training, and privacy.\n\n                  Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n                                             Page 1\n\x0c                  We are making nine recommendations to the Chief Information Officer\n                  and Chief Privacy Officer. The department concurred with all our\n                  recommendations and has already begun to take actions to implement\n                  them. 
The department\xe2\x80\x99s response is summarized and evaluated in the\n                  body of this report and included, in its entirety, as Appendix B.\n\nBackground\n                  Due to the increasing threat to information systems and the highly\n                  networked nature of the federal computing environment, the Congress,\n                  in conjunction with the Office of Management and Budget (OMB),\n                  requires an annual review and reporting of agencies\xe2\x80\x99 compliance with\n                  the Federal Information Security Management Act (FISMA). FISMA\n                  focuses on the program management, implementation, and evaluation\n                  of the security of unclassified and national security systems.\n\n                  Recognizing the importance of information security to the economic\n                  and national security interests of the United States, the Congress\n                  enacted Title III of the E-Government Act of 2002 (Public Law\n                  107-347, Sections 301-305) to improve security within the federal\n                  government. Information security means protecting information and\n                  information systems from unauthorized access, use, disclosure,\n                  disruption, modification, or destruction. Title III of the E-Government\n                  Act, entitled FISMA, provides a comprehensive framework to ensure\n                  the effectiveness of security controls over information resources that\n                  support federal operations and assets.\n\n                  FISMA requires each federal agency to develop, document, and\n                  implement an agency-wide security program. 
The agency\xe2\x80\x99s security\n                  program should protect the information and the information systems\n                  that support the operations and assets of the agency, including those\n                  provided or managed by another agency, contractor, or other source.\n                  As specified in FISMA, agency heads are charged with conducting an\n                  annual evaluation of information programs and systems under their\n                  purview, as well as an assessment of related security policies and\n                  procedures. Offices of Inspector General (OIG) must independently\n                  evaluate the effectiveness of an agency\xe2\x80\x99s information security program\n                  and practices on an annual basis.\n\n                  OMB issued memorandum M-08-21, FY 2008 Reporting Instructions\n                  for the Federal Information Security Management Act and Agency\n                  Privacy Management, on July 14, 2008. The memorandum provides\n                  updated instructions for agency and OIG reporting under FISMA. In\n\n             Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n                                            Page 2\n\x0c     accordance with OMB\xe2\x80\x99s reporting instructions, this annual evaluation\n     summarizes the results of our review of DHS\xe2\x80\x99 information security\n     program and practices.\n\n     The Chief Information Security Officer (CISO) leads the Office of\n     Information Security (OIS) and is responsible for managing DHS\xe2\x80\x99\n     information security program. To aid in managing its security program,\n     DHS developed a process for reporting and capturing known security\n     weaknesses in its POA&Ms. 
DHS uses an enterprise management tool\n     to collect and track data related to all POA&M activities, including\n     weaknesses identified during self-assessment and the C&A process.\n     DHS\xe2\x80\x99 enterprise management tool also collects data on other FISMA\n     metrics, such as the number of systems that have implemented DHS\xe2\x80\x99\n     security baseline configurations and the number of employees who\n     have received information technology (IT) security training.\n\n     In addition, DHS uses an enterprise-wide C&A tool to automate and\n     standardize portions of the C&A process to assist DHS components in\n     quickly and efficiently developing their security accreditation packages.\n     Below is an illustration on how the enterprise management and C&A\n     tools are used within the department to collect, manage, and report\n     information security metrics.\n\n                   DHS\xe2\x80\x99 Enterprise Security Management Tools Usage\n\n             DHS 4300                                            C&A Tool                                       Data Review Teams\n\n        FISMA Requirements                               System Security Plan (SSP)                                   DHS\n                                                                                                                   Compliance\n         OMB/NIST Guidance                        Requirements Traceability Matrix (RTM)                             Review\n                                                                                                                     Teams\n                                                      Security Assessment Report (SAR)\n         Other Requirements\n                                                          Sample Test Procedures\n                  Component IT Security                                                                               OIG\n                  Program Implementation                      
  Test Results\n\n                                                             Contingency Plans              Data Verification\n                             IT System                                                          and Review\n                        Implementations                                                                            Component/\n                                                                                                                    Domain\n                                                                      Future Link                                    ISSM\n              DHS\n           Component/\n                                                         FISMA Reporting Tool\n             Domain\n\n                                                   System and Program Security Metrics\n                            Monthly Status\n                            Updates               Plan of Action and Milestones (POA&M)\n                                                                                           FISMA Reports              OMB\n                                                      Annual Assessment Questionnaire\n\n                                                        Summary of C&A Status/Docs\n\n                                                                  Reports\n\n                                                             Digital Dashboard              Metrics\n                                                                                                                     DHS\n                                                                                            Digital Dashboard     Management\n\n\n\n\n     Source: DHS 4300A Sensitive Systems Handbook, Attachment E \xe2\x80\x93 FISMA Reporting\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n                                             Page 3\n\x0cResults of Independent Evaluation\n                We 
separated the results of our evaluation into seven FISMA areas.\n                For each area, we identified the progress that DHS has made since our\n                Fiscal Year (FY) 2007 evaluation and those issues that need to be\n                addressed to be more successful in the FISMA area.\n\n          OVERALL PROGRESS\n\n                \xe2\x80\xa2\t The CISO developed the Fiscal Year 2008 DHS Information\n                   Security Performance Plan \xe2\x80\x9cAchieving Excellence\xe2\x80\x9d to enhance its\n                   information security program. The purpose of the plan is to\n                   strengthen components\xe2\x80\x99 compliance with DHS\xe2\x80\x99 security program\n                   and to improve the department\xe2\x80\x99s incident response capability\n                   through the development of a robust Network Operations/Security\n                   Operations Center. The CISO developed a FISMA scorecard to\n                   manage components\xe2\x80\x99 compliance with the performance plan. See\n                   Appendix C for an example of the FISMA scorecard.\n                \xe2\x80\xa2\t The CISO revised the department\xe2\x80\x99s baseline IT security policies and\n                   procedures in DHS Sensitive Systems Policy Directive 4300A and its\n                   companion, DHS 4300A Sensitive Systems Handbook to reflect the\n                   changes made in DHS security policies and various National\n                   Institute of Standards and Technology (NIST) guidance.\n                \xe2\x80\xa2\t   DHS continues to maintain an effective process to update and\n                     manage an inventory of its agency and contractor systems on an\n                     annual basis. In addition, DHS conducted site visits to component\n                     offices outside the Washington D.C. 
area to determine whether\n                     there were any systems that had not been identified by the\n                     Information Systems Security Manager (ISSM) during the annual\n                     system inventory reviews.\n                \xe2\x80\xa2\t   DHS has taken an active role in ensuring that components comply\n                     with FISMA. The CISO implemented more stringent criteria for\n                     reviewing the artifacts that components are required to upload into\n                     the department\xe2\x80\x99s enterprise management tool, in order to support\n                     their C&A packages. See Appendix C for FY 2008 grades assigned\n                     by the CISO.\n                \xe2\x80\xa2\t   The CISO established a new in-depth review team. The team\n                     conducted site-visits at 10 components to determine whether DHS\n                     security requirements had been implemented on selected systems.\n                     As of July 2008, the team had reviewed 11 systems at 10\n                     components. 
DHS plans to review 25 to 40 percent of its systems\n                     in FY 2009.\n\n           Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n                                          Page 4\n\x0c       \xe2\x80\xa2\t   The CISO established a new configuration management compliance\n            team and randomly selected 23 systems at 7 components to evaluate\n            their configuration management processes and determine whether\n            DHS\xe2\x80\x99 baseline configuration settings had been implemented.\n       \xe2\x80\xa2\t   The Office of Human Capital implemented a department-wide,\n            web-based learning management system \xe2\x80\x9cDHScovery.\xe2\x80\x9d The\n            implementation of DHScovery can assist DHS in standardizing\n            security awareness training and track employee completion of the\n            training.\n\nOVERALL ISSUES TO BE ADDRESSED\n\n       Despite the progress described above, the results of our review revealed\n       that components are still not executing fully the department\xe2\x80\x99s policies,\n       procedures, and practices. 
For example, we determined:\n\n       \xe2\x80\xa2\t   Artifacts required to support the systems that have been accredited\n            by the components were either missing key information or\n            incomplete.\n       \xe2\x80\xa2\t   Components have not incorporated all known security weaknesses\n            into their POA&Ms.\n       \xe2\x80\xa2\t   Components have not fully implemented DHS\xe2\x80\x99 baseline\n            configuration settings.\n       \xe2\x80\xa2\t   DHS does not have an automated process for maintaining and\n            tracking its classified POA&Ms.\n       \xe2\x80\xa2\t   Appropriate training is needed for all individuals with significant\n            security responsibilities.\n       \xe2\x80\xa2\t   Escalation process is needed for privacy impact assessments (PIA)\n            that have been in the review and approval process for an extended\n            period of time.\n\nSystem Inventory\n\n       DHS maintains an effective process to update and manage its systems\n       inventory on an annual basis, including agency and contractor systems.\n       In addition, DHS also conducts site visits to identify systems that were\n       not included in the department\xe2\x80\x99s annual inventory update process.\n\n\n\n\n  Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n                                 Page 5\n\x0c                           PROGRESS\n\n                           \xe2\x80\xa2\t   DHS continues to maintain a comprehensive inventory of its major\n                                applications and general support systems, including contractor\n                                systems. 
As of July 31, 2008, DHS identified 591 operational\n                                systems.\n                           \xe2\x80\xa2\t   DHS continues to maintain an effective process to update and\n                                manage its inventory on an annual basis for agency and contractor\n                                systems by reviewing the system inventory with each component.\n                           \xe2\x80\xa2\t   DHS conducts site visits to component offices outside the\n                                Washington D.C. area to determine whether there are any systems\n                                that had not been identified by the ISSM during the annual system\n                                inventory update process.\n\n                           See Appendices D and E for system inventory and evaluation of DHS\xe2\x80\x99\n                           oversight of contractor systems and quality of system inventory.\n\n                   Certification and Accreditation Process\n\n                           DHS requires components to use an enterprise-wide tool that\n                           incorporates NIST security controls required for system C&A. The\n                           C&A process requires documentation to include system security plans,\n                           risk assessments, system test and evaluation plans, security assessment\n                           reports, contingency plans, and contingency plan test results.\n                           Components are required to apply NIST Special Publication\n                           (SP) 800-53 security controls for all system C&A and self-assessments.\n                           For some of the systems that have been accredited by the components,\n                           the artifacts required to support the C&A were either missing or\n                           incomplete. 
In addition, some of the self-assessments were not being\n                           properly completed by the components. We identified a similar issue in\n                           our FY 2007 FISMA report.1\n\n                           PROGRESS\n\n                           \xe2\x80\xa2\t   DHS continues to require components to upload 11 C&A artifacts\n                                into its enterprise management tool to monitor the progress in\n                                accrediting systems. The 11 artifacts are: Authority to Operate\n                                (ATO) letter, system security plan, security assessment report, risk\n                                assessment, security test and evaluation, contingency plan,\n                                contingency plan test results, Federal Information Processing\n                                Standards (FIPS) 199 determination, E-authentication\n\n1\n    Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2007 (OIG-07-77, September 2007).\n\n                      Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n                                                     Page 6\n\x0c          determination, privacy threshold analysis (PTA), and NIST \n\n          SP 800-53 self-assessment. \n\n     \xe2\x80\xa2\t   As of July 31, 2008, the CISO reported that 95 percent of DHS\xe2\x80\x99\n          operational systems (560/591) have been certified and accredited.\n     \xe2\x80\xa2\t   The quality of C&A packages has improved in FY 2008, when\n          compared to FY 2007. Specifically, only two of the 25 systems we\n          evaluated this year had incomplete C&A packages where key\n          security documents were missing, compared to 17 of 28 incomplete\n          C&A packages reported in FY 2007. 
However, we continued to\n          identify instances where required information was missing from\n          security documents.\n\n     ISSUES TO BE ADDRESSED\n\n     \xe2\x80\xa2\t   Systems were being accredited without key documents or where\n          C&A documents were missing key information. We selected 25\n          systems from 12 components and offices to evaluate the quality of\n          DHS\xe2\x80\x99 C&A process. For two systems, the accreditation packages\n          were incomplete as key security documents were missing. For\n          other systems, we identified that some of the required security\n          documents were missing key information. Without this\n          information, agency officials cannot make credible, risk-based\n          decisions on whether to authorize the system to operate.\n          Specifically, we determined:\n              \xc2\xbe\t Five instances where the FIPS-199 determination was not\n                 completed in accordance with applicable DHS and NIST\n                 guidance.\n              \xc2\xbe\t Twenty-two instances where system security plans were\n                 missing sections that describe detailed emergency\n                 configuration changes, management plans, security controls,\n                 and incident handling procedures.\n              \xc2\xbe\t Nineteen instances where contingency plans were\n                 incomplete, missing the identification of alternate\n                 processing facilities or restoration procedures. One of the\n                 contingency plans reviewed was more than four years old.\n              \xc2\xbe\t Three instances where the contingency plans had not been\n                 tested. 
Some of the contingency plans could not be tested\n                 because the alternate processing facilities were not\n                 operational.\n              \xc2\xbe\t Eleven instances where some of the required critical security\n                 controls were not included in the system test and evaluation\n                 plan.\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n                               Page 7\n\x0c     \xe2\x80\xa2\t   As part of the C&A review, we also evaluated the quality of\n          completed NIST SP 800-53 self-assessments. For example, we\n          evaluated whether the components provided a compliance\n          description for all applicable controls on how they were\n          implemented. In addition, we evaluated whether supporting\n          documentation existed for all controls that were reported as\n          \xe2\x80\x9ctested\xe2\x80\x9d. Finally, we evaluated the adequacy of justification for any\n          controls that were reported as \xe2\x80\x9cnot applicable\xe2\x80\x9d; and whether a\n          POA&M was created for all required controls that had not been\n          tested. For example:\n              \xc2\xbe\t Twelve instances where some controls, required by DHS\n                 and NIST, were missing from the templates used.\n              \xc2\xbe\t Twenty three instances where some required controls were\n                 not tested; did not include validation and verification\n                 testing; or were missing documentation to support that\n                 testing was performed. 
Examples of these instances were\n                 found in the areas of access control, configuration\n                 management, contingency planning, and risk assessment.\n\n     \xe2\x80\xa2\t   During our configuration assessment, we identified instances where\n          the system security plans did not accurately reflect the system\n          boundary or a description of hardware and software installed.\n          Without this information, agency officials cannot make credible,\n          risk-based decisions to accredit the systems.\n     \xe2\x80\xa2\t   Components did not follow applicable guidance when performing\n          E-Authentication determinations. We sampled 23 systems that\n          were reported as E-Authentication applications in DHS\xe2\x80\x99 enterprise\n          management tool to determine whether the assessments were\n          properly completed and applicable controls were implemented. For\n          example, we found:\n              \xc2\xbe\t Nine systems were reported incorrectly as E-Authentication\n                 applications in DHS\xe2\x80\x99 enterprise management tool, when\n                 compared to the E-Authentication determination. As such,\n                 DHS may not have an accurate inventory of its\n                 E-Authentication systems.\n              \xc2\xbe\t Four of the 14 E-Authentication systems had inconsistent\n                 assurance levels reported in DHS\xe2\x80\x99 enterprise management\n                 tool when compared to the source documents. 
Only one of\n                 the 14 E-Authentication systems properly addressed the\n                 DHS and NIST required controls in the system test and\n                 evaluation plans and security assessment reports for the\n                 assigned E-Authentication assurance levels.\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n                               Page 8\n\x0c       See Appendix G for the OIG assessment of DHS\xe2\x80\x99 C&A process.\n\nPlan of Action and Milestones Process\n\n       DHS requires components to use its enterprise management tool to\n       capture and track security weaknesses. The components are not\n       entering and tracking all IT security weaknesses in DHS\xe2\x80\x99 enterprise\n       management tool nor is all of the data entered by the components\n       accurate and updated in a timely manner. We identified a similar issue\n       in our FY 2007 FISMA report.\n\n       PROGRESS\n\n       \xe2\x80\xa2\t   DHS continues to conduct monthly reviews of POA&Ms for\n            completeness and also monitors the closure rate for initial and\n            repeat audit findings. The findings are reported to OIS and\n            components.\n       \xe2\x80\xa2\t   Components have created POA&Ms for 182 of 200 (91%) notice of\n            findings and recommendations (NFRs) for the weaknesses\n            identified during the FY 2007 financial statement audit.\n       \xe2\x80\xa2\t   As required by DHS policy, ISSMs are to review and approve all\n            priority 4 and priority 5 POA&Ms to ensure that the weakness is\n            properly identified, prioritized, and that appropriate resources have\n            been made available. 
  Priority 4 weaknesses are assigned to initial audit findings and priority 5 weaknesses to repeat audit findings. As of June 30, 2008, there were 198 POA&Ms classified as priority 4 and priority 5 weaknesses, all of which had been reviewed and approved by the ISSMs.

ISSUES TO BE ADDRESSED

• DHS components have not created POA&Ms for all known security weaknesses. DHS relies on the component ISSMs and Information Systems Security Officers (ISSOs) to ensure that POA&M information is entered accurately and that weaknesses are resolved. During our review, component personnel cited a lack of time and staff as the reason that their POA&Ms are not being updated regularly. For example, we identified:
    – Four components (Federal Emergency Management Agency [FEMA], Immigration and Customs Enforcement [ICE], Management Directorate [Management], and United States Customs and Border Protection [CBP]) did not create POA&Ms for findings identified in OIG audit reports issued during FY 2008.
    – Although two components (CBP and Science and Technology [S&T]) followed a manual process for maintaining classified POA&Ms, there is no evidence of periodic updates, ISSM reviews, or that these weaknesses were properly prioritized.
      FEMA has not implemented a process for maintaining and tracking its classified POA&Ms.
    – Components are not creating a POA&M for the weaknesses identified during the C&A process or from the NIST SP 800-53 self-assessments. As part of our C&A quality review, we evaluated whether POA&Ms had been created for any weakness that was identified during the C&A process, or from the NIST SP 800-53 self-assessment when controls had not been tested and where risks were not accepted. In 13 instances, POA&Ms were not created for the weaknesses identified during the C&A process. In nine instances, POA&Ms were not created for required controls that were not tested as part of NIST SP 800-53 self-assessments.

• While weaknesses were identified by the CISO’s in-depth team, components have created POA&Ms for only one of the 11 systems reviewed.
• Based on an analysis of data in DHS’ enterprise management tool, as of June 30, 2008, the ISSMs and ISSOs are not maintaining current information as to the progress of security weakness remediation.
    – Component management is not updating all weaknesses where the estimated completion date has been delayed. Of the 4,245 open POA&Ms with estimated completion dates, 491 (12%) were delayed by at least 3 months (prior to April 1, 2008). Further, 252 had an estimated completion date over one year old, dating as far back as September 30, 2005.
      In addition, completion dates for 226 of the 252 POA&Ms have not been updated since March 2006.
    – Components are required to provide justification as to why the remediation action for a POA&M is delayed. As of June 30, 2008, 1,405 (71%) of 1,978 open POA&Ms identified as delayed did not have an explanation for the delay.
    – Resources required for the remediation of 265 (6%) of the 4,245 open POA&Ms were either not identified or listed the cost of remediation as less than $50. DHS requires that a reasonable resources estimate of at least $50 be provided to mitigate the weakness identified.

• Not all POA&Ms are being resolved in a timely manner, including weaknesses identified as significant deficiencies. As of June 30, 2008:
    – 282 (7%) of 4,245 open POA&Ms reported had estimated completion dates that were more than 2 years after the identification of the weakness.
    – 11 open weaknesses are defined as significant deficiencies. Five of these 11 significant deficiencies were created more than 12 months ago.
      In addition, four of these five significant deficiencies are scheduled to take more than two years to complete the mitigation efforts.²

See Appendix F for the evaluation of DHS’ POA&M process.

Configuration Management

DHS has strengthened its oversight at the components. DHS also issued a baseline configuration guide for the components to follow when configuring their Windows Vista workstations. To evaluate components’ compliance with DHS baseline configuration requirements, we determined whether required configuration settings had been implemented on the (1) 25 systems selected for our C&A review, and (2) 28 systems chosen for the configuration assessment. For the C&A review, we performed testing to determine whether DHS baseline configuration settings were implemented on selected servers. During our configuration assessment, we verified whether NIST SP 800-53 controls and DHS baseline configuration settings were implemented on selected servers through interviews and observations. Results from both reviews revealed that the components have not implemented all of the required DHS baseline configuration settings. We reported a similar issue in our FY 2007 FISMA report.

² A significant deficiency is a weakness in an organization’s overall IT security program or management control structure that significantly restricts the capability of the component to carry out its mission or compromises the security of its information, information system, personnel, or other resources, operations, or assets. The risk is great enough that the organization head must be notified and immediate or near-immediate corrective action must be taken.

PROGRESS

• The CISO has strengthened its oversight of the components’ implementation of DHS’ baseline configuration requirements. One of the objectives of DHS’ configuration management compliance team is to evaluate whether baseline configuration settings are being implemented.
• DHS issued a new baseline configuration guide for Windows Vista in May 2008.

ISSUES TO BE ADDRESSED

• DHS has not implemented the Federal Desktop Core Configuration (FDCC) requirements, as outlined in OMB Memorandums M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, March 22, 2007, and M-07-18, Ensuring New Acquisitions Include Common Security Configurations, June 1, 2007. For example, DHS has not:
    – Incorporated the standard FDCC contract language into all IT acquisitions. According to a DHS Procurement official, the department is in the process of drafting its standardized FDCC contract language for all IT acquisitions.
    – Adopted FDCC standard configurations and documented all deviations from FDCC.
      According to an official from DHS’ Desktop Working Group, the department is in the process of documenting the deviations from FDCC requirements.
    – Implemented FDCC security settings on its Windows XP and Vista desktops and laptops. Further, DHS has not established an implementation date for FDCC compliance. An official from DHS’ Desktop Working Group indicated that the department could not implement the settings on its Windows XP and Vista desktops and laptops until all FDCC deviations are documented.

• Components have not fully implemented DHS baseline configuration settings on the systems reviewed. Specifically:
    – Results from our C&A and configuration reviews indicated that DHS’ baseline configuration settings have not been fully implemented on the systems.
      For example, components have not fully implemented warning banners, password complexity enforcement, or audit trail policies. Note: CISO’s in-depth review team identified similar findings during their assessments.
    – Vulnerability assessments performed at components during our Automated Commercial Environment, Automated Targeting System, Chet Holifield Federal Building, and United States Coast Guard (USCG) network security audits identified security concerns with access control, identification and authentication, and configuration management. In these instances, components had not configured their systems based on DHS’ configuration guidelines. Components included CBP, ICE, and USCG.³

• Components are not performing annual security testing, as required under FISMA.
  Some components indicated during our C&A review that vulnerability scans performed internally or by the DHS Security Operations Center had satisfied this requirement.
• Components are not conducting periodic configuration management reviews to evaluate their compliance with DHS baseline settings, citing a lack of resources and tools.
• Weak internal IT controls related to financial management systems were found during the audit of the department’s consolidated financial statements for FY 2007.⁴ Security concerns included inadequate access controls, application controls, software development, and change controls. Note: POA&Ms have been created for 182 (91%) of 200 NFRs identified during the financial statement audit.

See Appendix I for information regarding DHS’ configuration management.

Incident Detection, Handling, and Analysis Procedures

DHS has established adequate incident detection, handling, and analysis procedures, but has not fully implemented its vulnerability assessment program across the department.

³ Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements (OIG-08-01, October 2007); Improved Administration Can Enhance Federal Emergency Management Agency Classified Laptop Computer Security, Unclassified Summary (Report OIG-08-14, November 2007); Lessons Learned from the August 11, 2007, Network Outage at Los Angeles International Airport (OIG-08-58, May 2008); Technical Security Evaluation of U.S. Immigration and Customs Enforcement Activities at the Chet Holifield Federal Building (OIG-08-59, May 2008); and Additional Controls Can Enhance the Security of the Automated Commercial Environment System (OIG-08-64, June 2008).
⁴ Information Technology Management Letter for the FY 2007 DHS Financial Statement Audit (OIG-08-77, June 2008).

PROGRESS

• DHS’ Security Operations Center has performed vulnerability assessment scans at CBP, ICE, and Management.

ISSUES TO BE ADDRESSED

• DHS’ vulnerability assessment program has not been deployed department-wide. The program includes a comprehensive vulnerability alert, assessment, remediation, and reporting process to effectively identify computer security vulnerabilities and track mitigation efforts to resolution. The DHS Security Operations Center has only limited access at six components (CBP, FEMA, Federal Law Enforcement Training Center [FLETC], ICE, Management, and United States Citizenship and Immigration Services [USCIS]) to perform vulnerability scans on selected servers and workstations. Furthermore, some components are not submitting vulnerability assessment schedules or testing results to DHS’ Security Operations Center, as required.

See Appendix J for information regarding DHS’ incident reporting.

Security Training

DHS validates employee security training at the components.
The department’s Information Security Training, Education, and Awareness Office (Training Office) has not developed a specific training program for employees with significant security responsibilities.

PROGRESS

• The Office of Human Capital implemented a department-wide, web-based learning management system, “DHScovery.” The system can be used to provide standardized security awareness training and track employee completion of that training.
• DHS’ Training Office conducts site visits to review and validate training records at the components.

ISSUES TO BE ADDRESSED

• The Training Office has not identified appropriate, specialized security training for employees and contractors with significant IT security responsibilities. While the Training Office validates the specialized training obtained by ISSMs and ISSOs, it relies on the components to ensure that individuals with significant security responsibilities (e.g., system administrators, database administrators, and network administrators) are properly trained. We reported a similar issue in our FY 2006 and FY 2007 FISMA reports.⁵
• DHS does not have policy or procedures regarding the use of Collaborative Web Technologies.
  In addition, DHS does not educate users on the risks associated with the use of Collaborative Web Technologies during security awareness training.
• DHS contractors do not have access to DHScovery or the standardized security awareness training offered by the system.
• Some employees with significant responsibilities (e.g., database and system administrators) did not attain sufficient knowledge to perform their job functions. The results from our configuration review found that some of the administrators could not execute the commands needed to demonstrate whether controls were implemented. Their inability to execute system commands may be related to the fact that the Training Office and components have not determined the appropriate specialized security training needed for employees and contractors with significant IT security responsibilities.

See Appendix K for information regarding DHS’ security awareness training.

Privacy

DHS has established a PIA process. In addition, the Privacy Office continues to refine its PIA guidance.
The Privacy Office is experiencing delays in reviewing and approving PIAs submitted by the components and has not implemented all requirements specified in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.

PROGRESS

• The Privacy Office has issued new policies since our last review. For example, the Privacy Office issued:
    – Privacy Technology Implementation Guide, to aid technology managers and developers in integrating privacy protections into operational IT systems.
    – Privacy Incident Handling Guidance, to inform the department’s employees, senior officials, and contractors of their obligation to protect personally identifiable information (PII) and how to respond in the event of potential loss or compromise of PII.
    – A policy to assist components in completing or preparing Systems of Records and Notices.

⁵ Evaluation of DHS’ Information Security Program for Fiscal Year 2006 (OIG-06-62, September 2006), and Evaluation of DHS’ Information Security Program for Fiscal Year 2007 (OIG-07-77, September 2007).

ISSUES TO BE ADDRESSED

• DHS has not implemented all of the requirements outlined in OMB M-07-16.
  Specifically, DHS has not defined the consequences for any users who do not comply with the policy.
• DHS’ Privacy Office is experiencing delays in reviewing and approving PIAs. As of July 21, 2008, there were 76 PIAs in various stages of review; 20 of these PIAs had been outstanding for more than 8 months.

See Appendix H for DHS’ Privacy Program and Privacy Impact Assessment Process.

Recommendations

We recommend that the DHS Chief Information Officer:

Recommendation #1: Improve the OIS’ review process to ensure that all POA&Ms, including those POA&Ms for classified systems, are complete, accurate, and current. The department should consider accepting the risks of the remediation actions for any low priority POA&Ms that have been delayed for more than 12 months.

Recommendation #2: Ensure that components are utilizing the department’s C&A tool to generate the most current security document templates with all applicable controls when certifying and accrediting their systems. Systems accredited with outdated templates or without all applicable controls should not be accepted.

Recommendation #3: Improve its process to ensure that DHS baseline configuration requirements are implemented and maintained on all systems.
The process should include testing to verify the implementation of DHS baseline configuration settings.

Recommendation #4: Identify the contingency plans for systems with high availability and with alternate processing facilities not operational. The department should consider accepting the risks for the systems with high availability whose contingency plans cannot be tested because the alternate processing facilities are not operational.

Recommendation #5: Expedite the implementation of a department-wide vulnerability assessment program to perform periodic testing to evaluate the security posture at all components.

Recommendation #6: Establish appropriate training that is needed for all individuals with significant security responsibilities to perform their security functions.

Recommendation #7: Ensure the FDCC requirements outlined in OMB M-07-11 and M-07-18 are implemented expeditiously.

We recommend that the DHS Chief Privacy Officer:

Recommendation #8: Establish an escalation process for any PIAs that have been in the review and approval process for an extended period of time.

Recommendation #9: Define the consequences of non-compliance by system users, in accordance with the requirements outlined in OMB M-07-16.

Management Comments and OIG Analysis

DHS concurred with recommendation 1. DHS has begun the procurement and installation of a system to manage its classified POA&Ms. The department anticipates that this system will be operational by the first quarter of FY 2009.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 2.
The department has revised its FY 2009 Information Security Performance Plan to further improve the quality of its C&A process. In addition, revised versions of the DHS C&A document templates will be implemented in the first quarter of FY 2009.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 3. The department has revised its FY 2009 Information Security Performance Plan to include additional reporting requirements regarding configuration management.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 4. DHS has begun to identify the systems with “High Availability” to determine the scope of work associated with the implementation of an alternative processing center across the department.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 5. The DHS Security Operations Center (SOC), in support of the DHS FY09 Information Security Performance Plan, has begun to establish additional metrics to evaluate the visibility needed to implement an effective department-wide Vulnerability Assessment program.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 6. DHS has begun to establish training objectives based on security roles to facilitate a more robust training program for the department. Initially, the department plans to focus on the highest risk security positions.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 7.
The department has revised its FY 2009 Information Security Performance Plan to ensure compliance with FDCC requirements. Specifically, DHS has incorporated key FDCC compliance milestones into configuration management metrics. In addition, the criteria for Acquisition Reviews are being updated to incorporate FDCC requirements.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 8. DHS has implemented a weekly report to track the status of the PIAs and system of records notices. With these weekly reports, DHS can determine whether the PIAs and system of records notices are being updated by the components, reviewed by the Privacy Office, General Counsel, and OMB, or have not been assigned.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS concurred with recommendation 9. DHS is working to establish the rules in accordance with OMB M-07-16. The department plans to complete the rules and incorporate them into the PII Handbook by December 2008. Once the rules are established, the Chief Human Capital Office and General Counsel will be responsible for developing the consequences of non-compliance for system users.
Upon completion of both tasks, DHS will develop a training program to educate employees, contractors, and other personnel who may be impacted by the requirement.

We agree that the steps DHS plans to take satisfy this recommendation.

Appendix A
Purpose, Scope, and Methodology

The objective of this review was to determine whether DHS has developed adequate and effective information security policies, procedures, and practices, in compliance with FISMA. In addition, we evaluated DHS’ progress in developing, managing, and implementing its information security program.

Our independent evaluation focused on DHS’ information security program and practices, based on the requirements outlined in FISMA and using OMB Memorandum M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, issued on July 14, 2008. We conducted our work at the program level and at DHS’ major components: CBP, FEMA, ICE, Management, Operation Coordination, National Protection and Programs Directorate, S&T, TSA, USCIS, USCG, U.S. Visitor and Immigrant Status Indicator Technology, and United States Secret Service (USSS).

In addition to our independent evaluation, we conducted reviews of DHS’ information systems and security program-related areas throughout FY 2008.
This report includes the results of a limited number of systems evaluated during the year and our on-going financial statement review, including the Automated Commercial Environment, Automated Targeting System, Chet Holifield Federal Building, and USCG network security audits.

As part of our evaluation of DHS’ compliance with FISMA, we assessed DHS and its components’ compliance with the security requirements mandated by FISMA and other federal information systems’ security policies, procedures, standards, and guidelines, including NIST SP 800-37 and FIPS 199. Specifically, we: (1) used last year’s FISMA independent evaluation as a baseline for this year’s review and assessed the progress that DHS has made in resolving weaknesses previously identified; (2) focused on reviewing DHS’ POA&M process to ensure that all security weaknesses are identified, tracked, and addressed; (3) reviewed policies, procedures, and practices that DHS has implemented at the program level and at the component level; (4) evaluated processes, i.e., system inventory, C&A, security training, and incident response, that DHS has implemented as part of its agency-wide information security program; and (5) developed our independent evaluation of DHS’ information security program.

We reviewed the quality of the C&A packages for a sample of 25 systems at 12 components and offices: CBP, Management, FEMA, ICE, Operation Coordination, NPPD, S&T, TSA, USCIS, USCG, US-VISIT, and USSS, to
ensure that all of the required documents were completed prior to system accreditation. In addition, we evaluated the implementation of DHS’ baseline configurations and compliance with selected NIST SP 800-53 controls for 28 systems at CBP, FEMA, ICE, Management, TSA, USCG, and USCIS.

We conducted our evaluation between May and August 2008 under the authority of the Inspector General Act of 1978, as amended, and according to the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency. Major OIG contributors to the evaluation are identified in Appendix L.

The principal OIG points of contact for the evaluation are Frank Deffer, Assistant Inspector General, Office of Information Technology, at (202) 254-4100 and Edward G.
Coleman, Director, Information Security\n                    Audit Division at (202) 254-5444.\n\n\n\n\n                     Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n                                                Page 21\n\x0cAppendix B\nManagement Response to Draft Report\n\n\n\n\n                  Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008 \n\n\n                                                Page 22 \n\n\x0cAppendix B\nManagement Response to Draft Report\n\n\n\n\n                  Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008 \n\n\n                                                Page 23 \n\n\x0cAppendix B\nManagement Response to Draft Report\n\n\n\n\n                  Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008 \n\n\n                                                Page 24 \n\n\x0cAppendix C\nFISMA Scorecard and C&A Steady State Scorecard for July 2008\n\n\n\n\n                  Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008 \n\n\n                                                Page 25 \n\n\x0cAppendix C\nFISMA Scorecard and C&A Steady State Scorecard for July 2008\n\n\n\n\n                      Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008 \n\n\n                                                 Page 26 \n\n\x0cAppendix D\nFISMA System Inventory and Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing\n\n\n\n\n                                                                                      Question 1: FISMA System Inventory\n1. 
As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all components/bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another federal agency, for example a federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the total number of systems reviewed by the IG by component/bureau and FIPS system impact level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key:
  Agency:     Question 1(a), agency systems. Num = number in inventory; Rev = number reviewed by the IG.
  Contractor: Question 1(b), contractor systems. Num = number in inventory; Rev = number reviewed by the IG.
  Total:      Question 1(c), agency and contractor systems combined. Num = number in inventory; Rev = number reviewed.
  (a) C&A:    Question 2(a), reviewed systems with a current certification and accreditation. Num = count; Pct = percent of systems reviewed.
  (b) SCT:    Question 2(b), reviewed systems whose security controls were tested and reviewed in the last year. Num = count; Pct = percent of systems reviewed.
  (c) CPT:    Question 2(c), reviewed systems whose contingency plan was tested in accordance with policy. Num = count; Pct = percent of systems reviewed.
Inventory counts (Num) are reported in the sub-total rows. In the impact-level rows the original leaves the agency and contractor Num cells blank (shown here as a dash) and records 0 for the total.

Bureau     Impact     Agency      Contractor  Total       (a) C&A     (b) SCT     (c) CPT
                        Num   Rev   Num   Rev   Num   Rev   Num   Pct   Num   Pct   Num   Pct
CBP        High           -     3     -     0     0     3     3  100%     3  100%     3  100%
CBP        Moderate       -     6     -     0     0     6     6  100%     6  100%     6  100%
CBP        Sub-total     40     9     1     0    41     9     9  100%     9  100%     9  100%
CIS        Moderate       -     5     -     4     0     9     7   78%     7   78%     7   78%
CIS        Sub-total     60     5    36     4    96     9     7   78%     7   78%     7   78%
FEMA       High           -     1     -     2     0     3     3  100%     3  100%     3  100%
FEMA       Moderate       -     2     -     3     0     5     5  100%     5  100%     5  100%
FEMA       Sub-total     35     3    21     5    56     8     8  100%     8  100%     8  100%
FLETC      Sub-total      9     0     4     0    13     0     0    0%     0    0%     0    0%
I&A        Sub-total      2     0     1     0     3     0     0    0%     0    0%     0    0%
ICE        High           -     1     -     0     0     1     1  100%     1  100%     1  100%
ICE        Moderate       -     3     -     3     0     6     6  100%     5   83%     6  100%
ICE        Low            -     0     -     1     0     1     1  100%     1  100%     1  100%
ICE        Sub-total     32     4    47     4    79     8     8  100%     7   88%     8  100%
ITSO ISD   High           -     2     -     1     0     3     3  100%     3  100%     3  100%
ITSO ISD   Moderate       -     1     -     1     0     2     2  100%     2  100%     1   50%
ITSO ISD   Sub-total      9     3    14     2    23     5     5  100%     5  100%     4   80%
NPPD       High           -     0     -     1     0     1     1  100%     1  100%     1  100%
NPPD       Sub-total      7     0    12     1    19     1     1  100%     1  100%     1  100%
OIG        Sub-total      3     0     0     0     3     0     0    0%     0    0%     0    0%
OIS        Sub-total      1     0     1     0     2     0     0    0%     0    0%     0    0%
OPS        High           -     1     -     0     0     1     1  100%     1  100%     1  100%
OPS        Sub-total      2     1     1     0     3     1     1  100%     1  100%     1  100%
S&T        Moderate       -     0     -     1     0     1     1  100%     1  100%     1  100%
S&T        Low            -     0     -     1     0     1     1  100%     1  100%     1  100%
S&T        Sub-total      7     0    12     2    19     2     2  100%     2  100%     2  100%
TSA        High           -     1     -     2     0     3     3  100%     3  100%     3  100%
TSA        Moderate       -     2     -     2     0     4     4  100%     4  100%     4  100%
TSA        Low            -     1     -     0     0     1     1  100%     1  100%     1  100%
TSA        Sub-total     51     4    29     4    80     8     8  100%     8  100%     8  100%
USCG       High           -     0     -     1     0     1     1  100%     1  100%     1  100%
USCG       Moderate       -     3     -     2     0     5     5  100%     5  100%     4   80%
USCG       Low            -     2     -     1     0     3     3  100%     3  100%     3  100%
USCG       Sub-total     93     5    29     4   122     9     9  100%     9  100%     8   89%
USSS       Moderate       -     1     -     0     0     1     1  100%     1  100%     0    0%
USSS       Sub-total     24     1     1     0    25     1     1  100%     1  100%     0    0%
US-VISIT   Moderate       -     1     -     0     0     1     1  100%     1  100%     1  100%
US-VISIT   Sub-total      1     1     6     0     7     1     1  100%     1  100%     1  100%
Agency     High           0     9     0     7     0    16    16  100%    16  100%    16  100%
Totals     Moderate       0    24     0    16     0    40    38   95%    37   93%    35   88%
           Low            0     3     0     3     0     6     6  100%     6  100%     6  100%
           Total        376    36   215    26   591    62    60   97%    59   95%    57   92%

Appendix E
Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

3.a.
The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another federal agency, for example a federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Response categories:
 - Rarely: for example, approximately 0-50% of the time
 - Sometimes: for example, approximately 51-70% of the time
 - Frequently: for example, approximately 71-80% of the time
 - Mostly: for example, approximately 81-95% of the time
 - Almost Always: for example, approximately 96-100% of the time

IG response: Almost Always (approximately 96-100% of the time).

3.b. The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

Response categories:
 - The inventory is approximately 0-50% complete
 - The inventory is approximately 51-70% complete
 - The inventory is approximately 71-80% complete
 - The inventory is approximately 81-95% complete
 - The inventory is approximately 96-100% complete

IG response: The inventory is approximately 96-100% complete.

3.c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.

IG response: Yes.

3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes or No.

IG response: Yes.

3.e. The agency inventory is maintained and updated at least annually.

IG response: Yes.

3.f. If the agency IG does not evaluate the agency's inventory as 96-100% complete, please identify the known missing systems by component/bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.

Component/Bureau | System Name | Exhibit 53 UPI (must be 23-digit) | Agency or Contractor system?
(no entries)

Number of known systems missing from inventory: (none listed)

Appendix F
Evaluation of Agency Plan of Action and Milestones Process

Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided.

For each statement in items 4.a. through 4.f., select the response category that best reflects the agency's status.

Response categories:
 - Rarely: for example, approximately 0-50% of the time
 - Sometimes: for example, approximately 51-70% of the time
 - Frequently: for example, approximately 71-80% of the time
 - Mostly: for example, approximately 81-95% of the time
 - Almost Always: for example, approximately 96-100% of the time

4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
IG response: Almost Always (approximately 96-100% of the time) (a)

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
IG response: Mostly (approximately 81-95% of the time) (b)

4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).
IG response: Mostly (approximately 81-95% of the time) (c)

4.d. The agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
IG response: Almost Always (approximately 96-100% of the time) (d)

4.e. IG findings are incorporated into the POA&M process.
IG response: Mostly (approximately 81-95% of the time) (e)

4.f. The POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
IG response: Mostly (approximately 81-95% of the time) (f)

POA&M comments:

(a) DHS requires all known IT security weaknesses to be included in DHS’ enterprise management tool.
(b) DHS requires components to create POA&Ms for all IT security weaknesses. However, our review determined that POA&Ms were not created for all identified IT security weaknesses. Specifically, only 217 (84%) of the 259 recommendations cited in OIG audit reports (including Notices of Findings and Recommendations [NFRs]) had corresponding POA&Ms in DHS’ enterprise management tool.
(c) DHS components are required to update all information in their POA&Ms at least monthly. Of the 4,245 open POA&Ms in DHS’ enterprise management tool, 491 (12%) have estimated completion dates that are at least three months past due, and 252 (6%) have estimated completion dates that are at least 12 months past due.
(d) The CIO regularly performs automated quality reviews on all POA&Ms to ensure that information entered into DHS’ enterprise management tool is accurate, reasonable, and complete. In addition, the CIO prepares a monthly report to help monitor the components' progress.
(e) DHS requires all OIG findings to be included in each component’s POA&M. We determined that 217 (84%) of the 259 recommendations cited in OIG audit reports (including NFRs) had corresponding POA&Ms in DHS’ enterprise management tool.
(f) DHS has prioritized all POA&Ms (IT security weaknesses) in DHS’ enterprise management tool. However, 11 significant weaknesses were reported at seven components. Five of the 11 were created more than 12 months ago (before June 30, 2007), and four of those five were scheduled to take more than two years to remediate. In addition, of the 4,245 open POA&Ms in DHS’ enterprise management tool, 491 are at least three months past due and 252 are at least 12 months past due. Furthermore, many POA&Ms are not completed as originally scheduled: our query results show that 1,978 (47%) of the 4,245 open POA&Ms have been delayed.

Appendix G
IG Assessment of the Certification and Accreditation Process

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards.
Provide narrative comments as appropriate.\n\n Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation\n of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004.\n This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information and\n Information Systems" (February 2004) to determine a system impact level, as well as associated NIST document\n used as guidance for completing risk assessments and security plans.\n\n          The IG rates the overall quality of the Agency\'s\n          certification and accreditation process as:\n\n          Response Categories:\n   5.a.    - Excellent                                                                - Good\n           - Good\n           - Satisfactory\n           - Poor\n           - Failing\n\n          The IG\'s quality rating included or considered Security plan                                      X\n          the following aspects of the C&A process: (check\n          all that apply)                                  System impact level                              X\n                                                           System test and evaluation                       X\n                                                                Security control testing                    X\n    5.b                                                         Incident handling                           X\n                                                                Security awareness training                 X\n                                                                Configurations/patching                      X\n                                                                Other: privacy impact assessment, risk\n                                                                assessment, contingency plan, contingency plan\n                                                      
          testing, security assessment report\n C&A process comments:\n\n (a) DHS has implemented a good C&A process. DHS uses a department-wide tool that incorporates NIST\n     security controls to certify and accredit all systems. The CIO requires all components to use this tool.\n     Components are required to apply NIST SP 800-53 security controls for all system certifications.\n     However, for many systems, the artifacts that are required to certify and accredit a system were either\n     missing or incomplete. Our review of 25 C&A packages at 12 components and offices found two\n     instances in which accreditation packages were incomplete. In addition, we identified that other systems\n     were accredited, though some key security documents were missing information that is required to meet\n     all applicable DHS, OMB, and NIST guidelines.\n\n\n\n\n                      Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008\n\n\n                                                    Page 32 \n\n\x0cAppendix H\nIG Assessment of Agency Privacy Program and Privacy Impact Assessment Process\n\n\n         Question 6-7: IG Assessment of Agency Privacy Program and Privacy Impact\n                                 Assessment (PIA) Process\n    6.    Provide a qualitative assessment of the agency\'s Privacy Impact\n          Assessment (PIA) process, as discussed in Section D Question #5\n          (SAOP reporting template), including adherence to existing\n          policy, guidance, and standards.\n\n          Response Categories:                                                                          - Good\n           - Excellent\n           - Good\n           - Satisfactory\n           - Poor\n           - Failing\n\n\n Comments:\n\n DHS has established a PIA process. The Privacy Office requires a privacy threshold analysis (PTA) for all systems to\n determine whether a PIA is needed. 
 PTAs are specifically developed to identify which systems in the DHS information
 systems inventory collect or use personally identifiable information (PII), which systems require a PIA, and which need a
 Privacy Act System of Records Notice. The PIA guidance specifies when a PIA must be conducted, how the
 associated analysis should be performed, and how the PIA document should be written. Further, the Privacy Office
 has continued to refine its policies since our last review, for example with the Privacy Technology Implementation
 Guide (PTIG) and the Privacy Incident Handling Guidance (PIHG).

 The Privacy Office has a backlog in reviewing and approving PIAs. As of July 21, 2008, there were 76 PIAs in various
 stages of review.


    7.    Provide a qualitative assessment of the agency's progress to date
          in implementing the provisions of M-07-16, "Safeguarding Against
          and Responding to the Breach of Personally Identifiable
          Information".

          Response Categories:                                                  Response: Satisfactory
           - Excellent
           - Good
           - Satisfactory
           - Poor
           - Failing

 Comments:

 DHS has implemented the majority of M-07-16 requirements. For example, the Privacy Office has issued a breach notification
 policy, developed an implementation plan to eliminate the unnecessary collection and use of social security numbers, and
 drafted a plan to review and reduce its holdings of PII.

 DHS has not outlined the consequences of non-compliance in its rules of behavior.


Appendix I
Configuration Management


                                    Question 8: Configuration Management

        8.a.    Is there an agency-wide security configuration policy? Yes or No.                   Response: Yes

                Comments:
                DHS has included in its agency-wide policy a requirement that all components ensure that the installation
                of hardware and software products meets the requirements specified in the applicable DHS secure baseline
                configuration guides. DHS has developed configuration guides for all major hardware and software
                systems used by its components.

        8.b.    Approximate the extent to which applicable information systems implement
                security configurations available from the National Institute of Standards
                and Technology's website at http://checklists.nist.gov.

                Response categories:                                                              Response: See comment (a)
                  - Rarely- for example, approximately 0-50% of the time
                  - Sometimes- for example, approximately 51-70% of the time
                  - Frequently- for example, approximately 71-80% of the time
                  - Mostly- for example, approximately 81-95% of the time
                  - Almost Always- for example, approximately 96-100% of the time

        8.c.    Indicate which aspects of the Federal Desktop Core Configuration (FDCC) have been implemented as of this
                report:

               c.1 Agency has adopted and implemented the FDCC standard configuration and has
                   documented deviations. Yes or No.                                                            Response: No (b)

               c.2 New Federal Acquisition Regulation 2007-004 language, which modified "Part
                   39-Acquisition of Information Technology", is included in all contracts related to
                   common security settings. Yes or No.                                                         Response: No (c)

               c.3 All Windows XP and Vista computing systems have implemented the FDCC
                   security settings. Yes or No.                                                                Response: No (d)


Comments:

(a)  Many of the components use standard configurations for their systems, but have not fully implemented DHS'
     baseline configuration guides. As part of our C&A and configuration reviews, we identified that DHS’ baseline
     configuration settings had not been fully implemented on all of the systems selected. Vulnerability assessments
     performed during the fiscal year identified additional security concerns, including inadequate password
     controls and patches that had not been installed.
(b)  DHS is in the process of documenting deviations from the FDCC settings.
(c)  DHS is in the process of drafting its standard FDCC contract language for all IT acquisitions.
(d)  DHS cannot implement the settings on its Windows XP and Vista desktops and laptops until the department
     completes documenting its deviations from FDCC.


Appendix J
Incident Reporting


                                     Question 9: Incident Reporting
    Indicate whether or not the agency follows documented policies and procedures for reporting incidents
    internally, to US-CERT, and to law enforcement.
    If appropriate or necessary, include comments in the area provided below.

      9.a.   The agency follows documented policies and procedures for identifying
             and reporting incidents internally. Yes or No.                                  Response: Yes

      9.b.   The agency follows documented policies and procedures for external
             reporting to US-CERT. Yes or No. (http://www.us-cert.gov)                       Response: Yes

      9.c.   The agency follows documented policies and procedures for reporting to
             law enforcement. Yes or No.                                                     Response: Yes

    Comments:


Appendix K
Security Awareness Training, Collaborative Web Technologies, Peer-to-Peer File Sharing, and
E-Authentication Risk Assessments


                                     Question 10: Security Awareness Training
  Has the agency ensured security awareness training of all employees, including
  contractors and those employees with significant IT security responsibilities?

  Response Categories:                                              Response: Mostly, or approximately 81-95% of employees
   - Rarely- or approximately 0-50% of employees
   - Sometimes- or approximately 51-70% of employees
   - Frequently- or approximately 71-80% of employees
   - Mostly- or approximately 81-95% of employees
   - Almost Always- or approximately 96-100% of employees

  Comments:
  The Training Office is validating components’ training data to ensure that the components provide IT security
  awareness training to their employees. The Training Office has not determined what training is needed for
  individuals with significant IT security responsibilities (including network, database, and system administrators).


           Question 11: Collaborative Web Technologies and Peer-to-Peer File Sharing
  A. Does the agency explain policies regarding the use of collaborative web
     technologies in IT security awareness training, ethics training, or any other
     agency-wide training? Yes or No.                                                        Response: No

  B. Does the agency explain policies regarding the use of peer-to-peer file sharing
     in IT security awareness training, ethics training, or any other agency-wide
     training? Yes or No.                                                                    Response: Yes


                                Question 12: E-Authentication Risk Assessments
  12.a. Has the agency identified all e-authentication applications and validated that the
  applications have operationally achieved the required assurance level in accordance with
  NIST Special Publication 800-63, "Electronic Authentication Guidelines"? Yes or No.         Response: Yes (a)

  12.b. If the response is "No", then please identify the systems in which the agency has not
  implemented the e-authentication guidance and indicate if the agency has a planned date of
  remediation.


  (a) We sampled 23 systems that were reported as E-Authentication applications in DHS’ enterprise management tool to determine whether
      the assessments were properly completed and the applicable controls were implemented. We found that nine of the 23 systems were
      reported incorrectly as E-Authentication applications in DHS’ enterprise management tool when compared to the supporting
      e-authentication determinations. As such, DHS may not have an accurate inventory of its E-Authentication systems. In addition, 4 of
      the 14 E-Authentication systems had inconsistent assurance levels reported in DHS’ enterprise management tool when compared to the
      source documents. Only one of the 14 E-Authentication systems properly addressed the DHS and NIST required controls in its system
      test and evaluation plan and security assessment report for the assigned E-Authentication assurance level.


Appendix L
Major Contributors to this Report


                      Information Security Audit Division

                      Edward G. Coleman, Director
                      Chiu-Tong Tsang, Audit Manager
                      Barbara Bartuska, Audit Manager
                      Mike Horton, Information Technology Officer
                      Maria L. Rodriguez, Team Lead
                      Aaron Zappone, Program Analyst
                      Charles Twitty, IT Auditor
                      Kristina Hayden, Program Analyst
                      Nazia Khan, IT Specialist
                      Thomas Rohrback, IT Specialist
                      Peter Spano, Management/Program Assistant
                      Meghan Sanborn, Referencer

                      Advanced Technology Division

                      John Molesky, Information Security Engineer
                      Jordan Dixon, Information Security Engineer


Appendix M
Report Distribution


                        Department of Homeland Security

                        Secretary
                        Deputy Secretary
                        Chief of Staff
                        Deputy Chief of Staff
                        General Counsel
                        Executive Secretary
                        Assistant Secretary for Legislative Affairs
                        Assistant Secretary for Policy
                        Assistant Secretary for Public Affairs
                        Chief Information Officer
                        Deputy Chief Information Officer
                        Chief Financial Officer
                        Chief Privacy Officer
                        Chief Human Capital Officer
                        Chief Information Security Officer
                        Director, GAO/OIG Liaison Office
                        Director, Compliance and Oversight Program, Office of CIO
                        Director, Privacy Compliance
                        Chief Information Officer Audit Liaison
                        Chief Information Security Officer Audit Liaison
                        Privacy Office Audit Liaison
                        Component CIOs
                        Component ISSMs

                        Office of Management and Budget

                        Chief, Homeland Security Branch
                        DHS OIG Budget Examiner

                        Congress

                        Congressional Oversight and Appropriations Committees, as appropriate


Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General
(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web
site at www.dhs.gov/oig.


OIG Hotline
To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal misconduct relative to department programs or
operations:

    •    Call our Hotline at 1-800-323-8603;
    •    Fax the complaint directly to us at (202) 254-4292;
    •    Email us at DHSOIGHOTLINE@dhs.gov; or
    •    Write to us at:

           DHS Office of Inspector General/MAIL STOP 2600,
           Attention: Office of Investigations - Hotline,
           245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.